Hackers Hid Malware in CCleaner for Nearly a Month


CCleaner, the temporary file cleaner and registry optimizer of generally dubious utility in this day and age, has been flagged as containing malware. Worse, the company distributed infected versions of its products for nearly a month before realizing the problem. Two CCleaner builds carry the malicious payload: CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. CCleaner Cloud users should have received an update already, but if you use CCleaner and don't have automatic updates enabled, it would be a good idea to check which version you are running now.

Talos Intelligence has published a blog post detailing its research and findings, and they aren't great. CCleaner is a popular utility, with an average of five million downloads per week (over two billion downloads cumulatively). From August 15 to September 12, the 5.33 build of CCleaner offered for download carried a malware payload. Troublingly, the malicious binary was digitally signed with a valid Piriform certificate, which means the usual check a user or an endpoint product would perform passed; Talos wrote, "the presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward."
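For readers who want to follow the advice above and check an installed copy, the PowerShell below is an added example written for this page; it is not code from the article, Talos, Piriform or Avast. It enumerates the Windows uninstall registry entries, flags a CCleaner or CCleaner Cloud install whose version matches the two affected builds named above, and reports the Authenticode status of CCleaner.exe. The product display names, the version string formats, and the default install path `C:\Program Files\CCleaner` are assumptions about how the installer registers itself, not facts taken from the article.

```powershell
# Added example (not from the article or from Piriform/Avast). Flags installed CCleaner
# builds matching the two versions reported as trojanised, and reports signature status.
# ASSUMPTIONS: DisplayName values 'CCleaner' / 'CCleaner Cloud', version strings of the
# form "5.33", "5.33.6162" or "5.33.0.6162", default install dir C:\Program Files\CCleaner.

$Affected = @{
    'CCleaner'       = '5.33.6162'
    'CCleaner Cloud' = '1.07.3191'
}

function ConvertTo-VersionParts {
    param([string]$Version)
    # Normalise to (Major, Minor, Build). When more than two numeric components are
    # present the last one is treated as the build number, so "5.33.0.6162" and
    # "5.33.6162" both yield build 6162; "5.33" yields no build.
    $parts = @($Version -split '[^\d]+' | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
    if ($parts.Count -lt 2) { return $null }
    $build = if ($parts.Count -gt 2) { $parts[-1] } else { $null }
    [pscustomobject]@{ Major = $parts[0]; Minor = $parts[1]; Build = $build }
}

function Test-AffectedVersion {
    param([string]$Product, [string]$Version)
    if (-not $Affected.ContainsKey($Product)) { return 'not a listed product' }
    $have = ConvertTo-VersionParts $Version
    $bad  = ConvertTo-VersionParts $Affected[$Product]
    if ($null -eq $have) { return 'unparseable version' }
    if ($have.Major -ne $bad.Major -or $have.Minor -ne $bad.Minor) { return 'not affected' }
    if ($null -eq $have.Build) { return 'affected major.minor; confirm the build number' }
    if ($have.Build -eq $bad.Build) { return 'AFFECTED' }
    return 'not affected'
}

# Both the native and the 32-bit-on-64-bit uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

if (-not $installed) { 'No CCleaner product registered in the uninstall hives.' }

foreach ($app in $installed) {
    $status = Test-AffectedVersion -Product $app.DisplayName -Version $app.DisplayVersion
    '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status

    # The uninstall entry may carry only major.minor, so also read the file version of
    # the binary itself and its Authenticode status. A 'Valid' signature is NOT evidence
    # of a clean build: the trojanised 5.33 binary was signed with a valid certificate.
    if ($app.DisplayName -eq 'CCleaner') {
        $dir = if ($app.InstallLocation) { $app.InstallLocation } else { 'C:\Program Files\CCleaner' }
        $exe = Join-Path $dir 'CCleaner.exe'
        if (Test-Path $exe) {
            $fileVersion = (Get-Item $exe).VersionInfo.FileVersion
            '  file version {0}: {1}' -f $fileVersion, (Test-AffectedVersion -Product 'CCleaner' -Version $fileVersion)
            $sig = Get-AuthenticodeSignature -FilePath $exe
            '  signature: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
        }
    }
}
```

Run it from an elevated PowerShell prompt so both registry hives are readable. The signature line is deliberately informational only: as the Talos quote makes clear, a valid Piriform signature on this particular build is exactly what the attackers achieved, so the version match, not the signature status, is the thing to act on.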

The characteristics of the malware, and the fact that it was signed with a valid certificate, suggest that CCleaner's developer, Piriform Ltd, has itself been compromised rather than having its download mirrors tampered with. The malware checks whether the current user has administrative privileges and waits until the system has been up for at least 600 seconds, a delay intended to defeat sandboxes and automated analysis that only run a sample briefly. Once it has confirmed the user has admin access and passed its other validation checks, it collects information about the system, encrypts it, and sends it back to its command and control server.

The entire process is laid out below, in a handy flow chart.

Piriform, the maker of CCleaner, is owned by the antivirus company Avast, and has already issued a public apology and statement on the incident. The company describes the malware as a "two-stage backdoor capable of running code received from a remote IP address on affected systems." Piriform notes that as of this writing, "we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing. We want to thank the Avast Threat Labs for their help and assistance with this analysis."

Without more to go on, it's impossible to assign blame for the incident, but the hackers probably made off pretty well. A security product is the last place people expect to find a compromised build, both because of the nature of the program and because a security vendor is responsible for writing and maintaining it. For better or worse, we tend to view such companies as intrinsically better at securing themselves than other firms. On the whole, they very well may be, but incidents like this demonstrate that no one, not even a security vendor, can afford to take the topic lightly.

In addition, we'd generally recommend against using registry cleaners in this day and age. While CCleaner does perform a number of useful functions unrelated to security, like recovering disk space, the days of needing software like this to keep Windows running smoothly are generally over.